Apple’s AirDrop



China’s claim to have cracked AirDrop to get iPhone users’ details has been backed up by security researchers who have been warning Apple for years.

China’s state-back Beijing Institute announced that it has been using iPhone logs to identify users sending and receiving content over AirDrop. While it did not detail the process, security researchers are saying both that AirDrop is insecure, and that Apple has been repeatedly told of problems.

The claim that sender details can be found in device logs is confirmed by MacWorld, although testers were only able to uncover the name of a sending iPhone, and Bluetooth signal strength by accessing the console log on a Mac that received a file over AirDrop. The name and signal strength were stored in an AirDrop subprocess that was part of the overall “sharingd” process.

That AirDrop subprocess appears to contain the email and phone number of the sending iPhone, but they are stored in hash values that the testers were not able to translate to plain text.

Presuming that this is how China’s Beijing Institute is using AirDrop to identify who it calls “suspects,” there is a further element that means Apple’s feature is insecure. Security researcher Alexander Heinrich — who has also found issues with Find My — says that AirDrop requires a verified Apple ID before a connection is made.

While the Apple ID email and phone number are again stored as hash values, they are reportedly easy to decipher.

Note that Heinrich’s discovery only works while AirDrop is actually in use. China’s approach discovered a log on the receiving iPhone, which suggests that iPhone has to be confiscated before it can be searched.

Nonethelss, Heinrich says that no only has the vulnerability been reported. but that Apple itself was subsequently questioning researchers during the development of iOS 16. He says that while he has demonstrated a more secure AirDrop, it would be incompatible with older iOS versions, so it has yet to be implemented.

Separately, Apple has just been granted a patent for a version of AirDrop. It would use light instead of Wi-Fi and Bluetooth, and would consequently be both faster and more secure.

Source link